Use 27001 to meet the Hiscox recommendations

Tuesday 30th January 2018

ISO 27001 supports your cyber readiness

The Hiscox Cyber Readiness Report 2019, published in April 2019, shows that the number of firms reporting cyber incidents has risen from 45% last year to 61% in 2019. This adds further evidence to the need for businesses of all sizes to focus their attention on information security. Add to that the risks that can come from inside the organisation, and the need to be prepared is paramount. Cyber attacks and breaches by criminals might make the headlines, but an equal or greater risk can come from disgruntled or unaware employees. The World Economic Forum publishes interesting reports on cyber security; this one is worth a read: 7 steps to reducing the risk of a cyber attack.

Manage the problem

The following are some key aspects that the Hiscox Cyber Readiness Report has identified, and how each compares to ISO 27001.

Hiscox recommendation: Executive buy-in – cyber security is a priority for the board or proprietor
ISO 27001 control point: Clause 5.1 defines requirements for Leadership and the need for the adoption of Information Security as a strategic decision for the organisation

Hiscox recommendation: Clear strategy set by multiple stakeholders within the business
ISO 27001 control point: Clause 5.2 defines requirements for a strategic Information Security policy for the organisation

Hiscox recommendation: Dedicated head of cyber or team
ISO 27001 control point: Clause 5.3 defines requirements for organisational roles, responsibilities and authorities

Hiscox recommendation: Adequate cyber budget – on average, experts spend over $1 million more on cyber than novices
ISO 27001 control point: Clause 6.2 defines the need to provide resources to achieve Information Security objectives. Clause 7.1 defines requirements to provide resources to manage the Information Security management system and the activities within it

Hiscox recommendation: Regular evaluation of the supply chain, with security KPIs in supply contracts
ISO 27001 control point: Clause 8 defines requirements to set operational controls for all aspects of Information Security, including the management of the supply chain. The Statement of Applicability identifies several areas where supplier contracts and external providers should be managed, including the need to share policies, clear access management and information transfer procedures, as well as major requirements in control point A.15 for Supplier Relationships

Hiscox recommendation: Process – ability to track, document and measure impact
ISO 27001 control point: Clause 9 defines requirements for monitoring and measuring systems and information assets, including the need to log and monitor events or incidents

Hiscox recommendation: Cyber awareness training throughout the workforce
ISO 27001 control point: Clause 7.2 defines the need to determine required competency levels and to provide education, training and experience as necessary to all relevant workers

Hiscox recommendation: Proactive testing – through simulated attacks
ISO 27001 control point: Clause 8 sets out requirements for the management of operational planning and control, including risk assessment and the need to put treatments in place. Part of the overall capability development might include proactive testing of systems, using penetration testing or simulated attacks. Remember that testing will confirm the process works, but exercising the process on a regular basis will hone the skills of the relevant employees

Hiscox recommendation: Regular phishing experiments
ISO 27001 control point: As above, Clause 8 sets out processes to treat risks; when combined with the Clause 7.2 requirement to provide training, regular phishing experiments can reveal useful insights and focus training on the employees who need it

Hiscox recommendation: Readiness to learn, respond and make changes after an incident
ISO 27001 control point: The ISO 27001 system is based on the principle of 'Plan-Do-Check-Act'. This simple approach to improving all aspects of the management system will, when properly applied, enhance the readiness of the organisation to learn from and respond to incidents and to make changes. Specifically, Clause 10.2 sets out requirements that ensure the organisation reviews incidents and non-conformances so that the root cause is addressed and any required changes are managed thoroughly and appropriately

Hiscox recommendation: Cyber insurance policy in place
ISO 27001 control point: Clause 6 defines requirements for actions to address information security risks and their treatment, which might include insurance if the organisation deems that effective. Clause 8, which relates to Operations, has requirements relating to Incident Management, which are further outlined in the Statement of Applicability (control point A.16). Control point A.17, which outlines the Information Security aspects of Business Continuity, may also be relevant to the choice to purchase insurance and to ensuring that the claims process is included in your procedures
